[Snort-sigs] Help to configure SNORT

Matt Kettler mkettler at ...189...
Tue Dec 23 13:15:02 EST 2003


At 02:07 PM 12/23/2003, Lorenzo Rossi wrote:
>Hi, I'm new to snort.

Fair enough. As a new user, may I point you in the direction of the 
snort-users mailing list?

snort-users is for general discussion and questions about usage, 
configuration, etc.

snort-sigs is for signature development work. Analysis of attacks, 
documentation writing, etc.


>Now I can see lots of lines like this:
>
>------------------------------------------------------
>#0-(1-8)
>
>(spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible
>fragroute) detection


You should be able to get rid of these by configuring spp_stream4 with 
disable_evasion_alerts.

This is also the default setting in the default snort.conf, so I'm not sure 
why you've been getting these alerts.

False positives are part of the drawbacks of having the evasion alerts on. 
It detects "strange" behaviors, but there are a lot of broken TCP/IP stacks 
that are commonly used that look "strange".
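The two stream4 configurations the reply contrasts, as an added snort.conf fragment (constructed for illustration; this is not text from the list post and not the Snort project's shipped snort.conf). Only one `preprocessor stream4` line may be active in a given config, so the noisy variant is left commented out:

```snort
# Constructed snort.conf fragment (not from the list post or the shipped default).

# Variant 1: stream4 with evasion alerts enabled. This is the form that
# emits "(spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible
# fragroute) detection" whenever a host retransmits a segment with a
# different checksum, including the broken-stack cases the reply mentions.
# preprocessor stream4

# Variant 2: the setting the reply recommends (and the one the default
# snort.conf ships with): same stream reassembly, evasion alerts suppressed.
preprocessor stream4: disable_evasion_alerts
```

The trade-off is the one the reply states: with `disable_evasion_alerts` the sensor stops reporting retransmission and other evasion-style anomalies, so the fragroute-style evasion it was flagging becomes invisible along with the false positives from broken stacks. A sensor still showing those alerts after a restart is worth a second look at which stream4 line is actually active, since the option is the default.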




